pki:
  ca: /etc/nebula/vagrant-test-ca.crt
  cert: /etc/nebula/host.crt
  key: /etc/nebula/host.key

# Port Nebula will be listening on
listen:
  host: 0.0.0.0
  port: 4242

# sshd can expose informational and administrative functions via ssh
sshd:
  # Toggles the feature
  enabled: true
  # Host and port to listen on
  listen: 127.0.0.1:2222
  # A file containing the ssh host private key to use
  host_key: /etc/ssh/ssh_host_ed25519_key
  # A file containing a list of authorized public keys
  authorized_users:
{% for user in nebula_users %}
    - user: {{ user.name }}
      keys:
{% for key in user.ssh_auth_keys %}
        - "{{ key }}"
{% endfor %}
{% endfor %}

local_range: 10.168.0.0/16

static_host_map:
# lighthouse
  {{ hostvars[groups['lighthouse'][0]][vagrant_ifce]['ipv4']['address'] | to_nebula_ip }}: ["{{ hostvars[groups['lighthouse'][0]][vagrant_ifce]['ipv4']['address']}}:4242"]

default_route: "0.0.0.0"

lighthouse:
{% if 'lighthouse' in group_names %}
  am_lighthouse: true
  serve_dns: true
{% else %}
  am_lighthouse: false
{% endif %}
  interval: 60
{% if 'generic' in group_names %}
  hosts:
    - {{ hostvars[groups['lighthouse'][0]][vagrant_ifce]['ipv4']['address'] | to_nebula_ip }}
{% endif %}
  
# Configure the private interface
tun:
  dev: nebula1
  # Sets MTU of the tun dev.
  # MTU of the tun must be smaller than the MTU of the eth0 interface
  mtu: 1300

# TODO
# Configure logging level
logging:
  level: info
  format: json

firewall:
  conntrack:
    tcp_timeout: 12m
    udp_timeout: 3m
    default_timeout: 10m
    max_connections: 100,000

  inbound:
    - proto: icmp
      port: any
      host: any
    - proto: any
      port: 22
      host: any
{% if "lighthouse" in groups %}
    - proto: any
      port: 53
      host: any
{% endif %}

  outbound:
    - proto: any
      port: any
      host: any
